Distributed Denial of Service Attack Detection Using a Machine Learning Approach

Abstract

A distributed denial of service (DDoS) attack is a type of cyber-attack in which the perpetrator aims to deny the services on a network/server by inundating the traffic on the network/server by superfluous requests which renders it incapable to serve requests from legitimate users. According to Corero Network Security (A DDoS protection and mitigation provider), in Q3 2017, organizations around the world experienced an average of 237 DDoS attack attempts per month, which averages to 8 DDoS attacks every day. This was a 35% increase over Q2 that year and a staggering 91% increase over Q1. According to another research by Incapsula, a DDoS attack costs an average of $40,000 per hour to businesses. There are commercially available software which detect and mitigate a DDoS attack, but the high cost of these software makes them hard to afford for small and mid-scale businesses. The proposed work aims to fill this gap by providing real time open-source robust web application for DDoS attack prediction which can be used by small to mid-scale industries to keep their networks and servers secure from malicious DDoS attacks. A Machine Learning approach is used to employ a window-based technique to predict a DDoS attack in a network with a maximum accuracy of 99.83%, if the recommended combination of feature selection and classification algorithm is chosen. The choice of both feature selection and classification algorithm is left to the user. One of the feature selection algorithms is the novel Weighted Ranked Feature Selection(WRFS) algorithm which performs better than other baseline approaches in terms of accuracy of detection and the overhead to build the model. Once the selection is made, the web application connects to the socket and starts capturing and classifying real-time network traffic. After the capture is stopped, information about attack instances (if any), number of attack packets, confusion matrix is rendered to the client using dynamic charts. The trained model used for classifying real-time packets is optimized and uses only enough attributes from the incoming packet which are necessary to successfully predict the class of that packet with high accuracy.